Phishing attacks: Measuring your Susceptibility

By
James Moore,
8 August 2013

Phishing is a growing threat to organisations who have more to lose now than ever.

Phishing attacks are designed to deceive individuals into providing sensitive information such as passwords to a malicious third-party, or into performing actions such as downloading malware designed to give an attacker remote control over the victim’s computer. Worryingly, these attacks are becoming increasingly sophisticated, to the extent that often neither the individual nor the organisation to which they belong is even aware that an incident has occurred until it is too late.

Typically, these attacks take the form of an email that appears to come from a legitimate entity (for example, an online bank or email account), in order to gain the individual’s confidence, so that they then follow a link and divulge sensitive information. As an Information Security company, we have witnessed these types of breaches occurring ever more frequently, in line with the growth of online services, such as banking and social media.

Certainly the kind of information that it is now possible for attackers to intercept over the internet and company intranets makes these attacks very lucrative. Additionally, there is a low barrier to entry as phishing attacks such as this are relatively straightforward to implement and difficult to track and prevent.

Phishing: The unknown

If a phishing attack were launched against your organisation today, would your employees be susceptible?

Within many organisations, the susceptibility of employees to phishing attacks is largely unknown. Whilst security testing is now commonplace within organisations and the adoption of common security controls is widespread, there is not a widely-adopted approach to sustainably reducing the risks from phishing threats over the long-term. Whilst policies and processes are often in place to help an organisation react to a phishing attack, the effectiveness of any internal reaction to a legitimate attack is often unmeasured, especially if the occurrence of the attack itself has remained undiscovered.

The financial cost of phishing attacks to UK-based organisations, on the other hand, is well known.

In 2012, the UK economy lost £405.8m to phishing attacks, an increase of 25% over the £304.4m lost in 2011. RSA reported that in 2012 there were, on average, more than 37,000 unique phishing attacks globally each month, compared with 21,500 per month in 2011.

Phishing attacks against organisations are rising in both number and sophistication, and as the quantity, diversity and confidentiality of data stored electronically increases, so does the risk presented by the phishing threat.

The primary issues faced by organisations include how to measure organisational susceptibility to phishing attacks, and how sustainably to reduce the risk posed by such attacks, given that they are increasing in both frequency and sophistication.

Do you really know your security posture?

Whilst a growing number of organisations now have stringent security controls, policies and procedures in place and frequently perform security assessments, these assessments often do not provide any insight into the susceptibility of an organisation or its employees to phishing attacks. Instead, security assessments usually focus on more ‘tangible’ vulnerabilities, such as security flaws within software or the insecure misconfiguration of network infrastructure.

To gauge your current security posture in terms of the risk posed by phishing attacks, ask yourself the following questions:

As part of your regular security assessments, have you ever performed a controlled phishing attack?

Would you expect your employees to click on a malicious link within an email? Would they then go on to disclose authentication credentials or attempt to download a malicious payload?

How many employees in your organisation would you expect to perform those actions?

Which offices and departments within your organisation are most likely to be susceptible to a phishing attack?

Therefore, do you know where your security training budget is best spent for maximum impact and ‘quick wins’?

Have you ever run security awareness campaigns? If so, how effective do you think they were?

If there were a phishing attack, would there be an internal response, or would it go unnoticed?

Is the response guaranteed to go as per policy and procedure, or would a real world attack be likely to cause chaos and confusion?

If there were a response, would it be sufficient to mitigate the risk posed by the attack?

Is your organisation more or less susceptible to phishing attacks than other organisations within the same market sector?

If you were unable to answer any of the above questions, or if you answered any with uncertainty, then your organisation’s security posture could certainly be improved.

The susceptibility of an organisation, and as such the risk associated with phishing attacks, is widely considered to be difficult to measure. * In some cases, phishing attacks, as an attack vector, are even overlooked entirely. In rare cases, where controlled phishing assessments are performed to measure risk, these are performed as one-time exercises and do not provide sufficient metrics to identify weak areas of an organisation. In these cases, the assessment does not have a sustained preventive effect: employees are still likely to click malicious links within emails only a few months after the engagement. Such engagements offer little to no value.

The risk posed by Phishing to your organisation

Executed well, a phishing attack can extract far more than domain credentials from your organisation. An attacker can use phishing attacks as a base to trick employees into downloading and running malicious software, in turn providing an attacker with a long-term, often undetected foothold inside the network, side stepping traditional security controls. Such a foothold is then often used to gain further access to corporate resources, such as file shares, from which assets can then be extracted.

A more determined attacker can go a stage further still. By enumerating the versions of client-side software, including the browser and plug-ins (in Java for example), as soon as an employee browses a malicious website after clicking a link in a phishing email, the attacker is able to identify and attempt to exploit any vulnerable client-side software accessible via the web-browser. If successful, the attacker would obtain a foothold within your network without the need even to prompt for the download of malicious software.

Once a foothold is obtained, an attacker can attempt to elevate their privilege level and begin to extract confidential data from the corporate network. Such data often includes financial information, such as payroll, client information or sales figures and projections. In many cases, it would also be possible for the attacker to modify data, thus affecting its integrity.

Ultimately, the real risk to a business from a successful phishing attack is loss of both money and reputation.

Measurement and mitigation of risk

The first stage of any plan to mitigate the risk posed to an organisation by phishing attacks is to measure the current level of susceptibility by performing a controlled attack against employees. Such an attack would ideally target a subset of employees from each department within the organisation. If appropriate, employees and departments from different offices should also be included within the test, in order to allow for the identification of any trends across the entire organisation. The data returned by such an assessment is invaluable in gauging current levels of susceptibility and providing information such as:

Number of users who clicked a malicious link within an email

Number of users who entered corporate domain credentials into a phishing website

Number of users who attempted to download a malicious executable

Breakdown of susceptible employees into various demographics, such as office, department or location

Activity over time (were users still clicking malicious links even after the internal security response?)

Use of weak passwords within corporate domain credentials

Did any employees reply directly to the phishing attack?

Comparison against the average susceptibility of other organisations in your market sector

Once a baseline has been established, strategies for mitigating risk should be investigated and implemented. There are a number of approaches that, when combined, are extremely effective in dramatically cutting the overall level of susceptibility:

Perform regular, controlled phishing attacks to maintain a heightened awareness, thus reducing the likelihood of employees clicking suspicious links within emails. Such phishing attacks should use a different ‘scenario’ each time, in order to prevent any attack being instantly recognisable. When performed quarterly or bi-annually, such assessments train employees to be suspicious of all unexpected emails containing links to third-party websites. In addition, regular exercises of this kind provide constant analysis against the baseline assessment and will demonstrate any shift in susceptibility over time and allow for the tracking of company performance.

Perform targeted training after assessments. Based on the data from each controlled phishing attack, look to identify trends in susceptibility within the organisation. It may be that your HR department was the most susceptible, or that employees within your London HQ were most likely to enter domain credentials into a third-party website. Use this data to target the most susceptible areas of the business with security training, in order to maximise the effectiveness of your training budget.

Review the internal response after each assessment. Identify key areas of weakness that require improvement. Did the initial attack get spotted by the security team? If not, identify the reason for this and address it through the introduction/modification of policies and procedures. Investigate technical solutions to support the identification of attacks such as the implementation of IDS, IPS or Email Monitoring Solutions. Generally, the efficiency, effectiveness and management of internal responses to phishing attacks and other threats will be enhanced with each assessment.

Controlled phishing attacks: What to expect

Generally, the advantages of regular controlled phishing attacks will be well understood within the technical areas of an organisation; however, there are various challenges that must be faced before such assessments are authorised and commissioned.

Often, the most significant hurdle is mitigating the risk of upsetting or embarrassing employees. Ensure that any employees who do click malicious links are not reprimanded or patronised, by ensuring that there is a strategy in place to explain the risks posed by phishing attacks and that formal training is provided where appropriate to help employees identify threats going forward.

Another issue is the fact that the assessment may have a detrimental effect on the corporate environment or network. Ensure that your supplier does not use any ‘payload’ for regular phishing assessments, i.e. employees’ attempts to download malicious software are recorded, but no malicious software is actually supplied.

Once regular assessments are commissioned, ensure that the key personnel within the organisation are aware of the assessment and know how to react, but do this on a need-to-know basis only. Generally, the heads of security and IT should be aware of the assessments, and should be prepared to intervene prior to any unnecessary actions being taken (such as replacing employee workstations).

For the first few controlled phishing attacks, expect large numbers of employees to be susceptible. It is not uncommon for 60-70% of employees targeted to click on the malicious links. Generally, there is a small drop-off (typically 5-10%) in employees who supply domain credentials and a further small drop-off (typically 2-4%) in those who then proceed to attempt to download a malicious executable.

In terms of internal response, anticipate some minor chaos for the first assessment. As security policies and procedures relevant to phishing attacks are tested for the first time, there are generally opportunities for improvement going forward. As long as procedures are in place to identify and document these opportunities, then progress can be made going forward, and, with each assessment, the internal response should become more efficient and streamlined. In the event of a real-world phishing attack, the internal response should have progressed to a stage where it is not only efficient but wholly effective.

From a return on investment perspective, the number of employees susceptible to phishing attacks can typically be expected to decrease by upwards of 25% per assessment, with most organisations seeing an overall susceptibility reduction of at least 90% after one year of quarterly controlled phishing assessments.

Summary

Despite being a long-established attack vector, phishing is a growing threat to organisations who, with the increasing amount of confidential data being stored electronically, have more to lose now than ever. It is common for organisations to struggle to measure their susceptibility to phishing attacks, with common security controls proving ineffective against the threat, and security assessments often overlooking phishing as a potential attack vector.

Regular phishing assessments performed in a structured, controlled manner provide a means to benchmark decreasing susceptibility over time. They can map out trends within your organisation, highlighting patterns in areas of the business that are most vulnerable. In addition to providing accurate metrics that allow the calculation of risk posed to your organisation, conducting quarterly or bi-annual phishing attacks helps to maintain a heightened awareness. This will decrease the risk posed to your organisation of a real-world attack, typically by upwards of 90%.

MWR InfoSecurity provide specialist advice and solutions in all areas of cyber security, from professional and managed services, through to developing commercial and open source security tools. More about MWR.